The vendor of a certain seven-figure software package that Thijs B's company relied on had just released a new version that was no longer end-user configurable. Well, technically, it was... it just required purchasing a $100,000 "configuration tool" instead of simply editing an XML file. While dropping $100K isn't too bad for most companies in the seven-figure software market, this particular company was frugal and thought it worth investing some time before handing over a giant wad of cash. So it fell to Thijs to see whether the product was still configurable without the new tool.
Thijs opened up the familiar fieldset.xml file, but instead of finding a convoluted — but human-readable — mess of XML, he found this:
<?xml version="1.0" encoding="utf-8"?><FieldSmartConfiguration encoding="basic"> DQo8SGVhZGVyPg0KPFBsYXRmb3JtVmVyc2lvbj40LjMuMS4wPC9QbGF0Zm9ybVZl cnNpb24+DQo8L0hlYWRlcj4NCjxab25lcz4NCjxab25lIGlkPSIxIiBuYW1lPSJa b25lIDEiIGRlc2M9IlpvbmUgMSI+DQo8V29ybGQ+DQo8Qm91bmRzLz4NCjxNYXBB cmVhLz4NCjxPZmZzZXRzLz4NCjxXb3JsZFVuaXRPZk1lYXN1cmU+bWV0ZXJzPC9X b3JsZFVuaXRPZk1lYXN1cmU+DQo8TWFwQm91bmRzVW5pdE9mTWVhc3VyZT5tZXRl cnM8L01hcEJvdW5kc1VuaXRPZk1lYXN1cmU+DQo8RGlzcGxheVVuaXRPZk1lYXN1 cmU+dW5rbm93bjwvRGlzcGxheVVuaXRPZk1lYXN1cmU+DQo8TWFwRGF0YVVuaXRP [...] IjU4NDYiIG9iamVjdHR5cGU9InBvbGUiIGdyYXBoaWNpZD0iNDIxOCIvPg0KPC9O ZXdPYmplY3RzPg0KPC9JbnNwZWN0Pg0KPC9ab25lPg0KPC9ab25lcz4NCg== </FieldSmartConfiguration>
Given the technical maturity of their software, Thijs was confident that it would be possible to break this. He first set off to disassemble their .NET configuration tool, but that appeared to use a custom-crafted native DLL to retrieve the content of the XML file. Not backing down from the challenge, he noticed they were relying on the Windows Crypto API, so he opened WinDbg to trace the API calls, the encryption type, and, hopefully, the decryption key.
After a bit of debugging, he saw CryptAcquireContext() being called, along with quite a few CryptGenRandom() calls, but no CryptDecrypt(). But then he realized something: the calls had less to do with code the vendor wrote, and more with what .NET was doing behind the scenes to verify the assemblies and the like. Were the files even encrypted?
Thijs paid a little closer attention to the text, and noticed the telltale + symbols throughout, and a telling == at the end. After recovering from a sobering facepalm, he opened up a quick Base64 decoder and pasted the giant Base64 string in. In the blink of an eye, this is what came out:
<Header> <PlatformVersion>4.3.1.0</PlatformVersion> </Header> <Zones> <Zone id="1" name="Zone 1" desc="Zone 1">
Amazingly, the vendor didn't even put any real effort into securing what they wanted secured. They did, however, completely re-implement Base64 by hand. That has to be worth at least $64K.
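The check Thijs ended up doing by hand, as an added Python example that is not from the original article or the vendor's tool: unwrap the FieldSmartConfiguration element, confirm the body is plain base64 rather than ciphertext, decode it, and parse what comes out. The sample file and its inner XML are constructed here to mirror the layout shown above.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed inner document (made up for this example, not the vendor's file).
# CRLF + "<Header>" base64-encodes to "DQo8SGVhZGVyPg", which is exactly how the
# blob in the article starts, so a leading "DQo8" is itself a giveaway.
INNER_XML = (
    "\r\n<Header>\r\n<PlatformVersion>4.3.1.0</PlatformVersion>\r\n</Header>\r\n"
    '<Zones>\r\n<Zone id="1" name="Zone 1" desc="Zone 1">\r\n</Zone>\r\n</Zones>\r\n'
)

def wrap_b64(raw: bytes, width: int = 64) -> str:
    """Base64-encode and split into space-separated runs, as the article's blob is laid out."""
    enc = base64.b64encode(raw).decode("ascii")
    return " ".join(enc[i:i + width] for i in range(0, len(enc), width))

# Constructed stand-in for fieldset.xml, using the same wrapper element as the article.
SAMPLE_FILE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<FieldSmartConfiguration encoding="basic"> '
    + wrap_b64(INNER_XML.encode("utf-8"))
    + " </FieldSmartConfiguration>"
)

B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def looks_like_base64(text: str) -> bool:
    """Base64 alphabet only, length a multiple of 4, '=' padding only at the end.
    Passing proves encoding, not plaintext: parsing the decoded bytes settles that."""
    compact = re.sub(r"\s+", "", text)
    return bool(compact) and len(compact) % 4 == 0 and B64_RE.fullmatch(compact) is not None

def unwrap_config(doc: str) -> dict:
    """Parse the wrapper, refuse anything that is not plain base64, then decode
    the body and parse the recovered XML fragment."""
    root = ET.fromstring(doc)
    body = root.text or ""
    if not looks_like_base64(body):
        raise ValueError("body is not base64; maybe it really is encrypted this time")
    payload = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    # The recovered text has several top-level elements, so give it a synthetic root.
    inner = ET.fromstring(b"<root>" + payload + b"</root>")
    return {
        "wrapper_encoding": root.get("encoding"),
        "platform_version": inner.findtext("Header/PlatformVersion"),
        "zones": [z.get("name") for z in inner.iter("Zone")],
    }
```

The same unwrap_config() raises on a body that fails the alphabet or padding rules, which is the point at which a debugger session would actually be warranted.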